Recently I got a request from my client to configure the TIBCO EMS server with windows active directory for authentication. In this post, I will explain how to configure the EMS with LDAP or AD configurations.
Below are the parameters you need to modify in your tibemsd.conf file. Sample config files are available under EMS_HOME/samples/config, e.g. /opt/tibco/ems/8.5/samples/config
First, add the config details below to the tibemsd.conf file. The *base_dn values will vary depending on how your LDAP is configured; you can get this information from the LDAP admin.
Usually the ldap_user_attribute value will be cn, but in my case it's sAMAccountName. If you are using an SSL connection for LDAP/AD, you need to provide a certificate path in the ldap_tls_cacert_file attribute. Please note that this can point either to the certificate file itself or to the certificate keystore on your server. If you use the certificate file directly, make sure it contains the complete certificate chain. The preferred way is to use the keystore, as it is easier to manage for all components.
ldap_url = ldaps://corp.mycompany.com:636
ldap_principal = "cn=Manager"
ldap_credential = password
ldap_user_class = person
ldap_user_base_dn = "OU=mycompany,DC=corp,DC=mycompany,DC=com"
ldap_user_scope = subtree
ldap_group_base_dn = "ou=TIBCO,ou=groups,ou=mycompany,DC=corp,DC=mycompany,DC=com"
ldap_group_scope = subtree
ldap_group_filter = "(&(&(cn=%s)(objectClass=groupofUniqueNames)))"
ldap_static_group_class = groupofUniqueNames
ldap_static_group_attribute = cn
ldap_static_member_attribute = member
ldap_dynamic_group_class = groupofURLs
ldap_dynamic_group_attribute = cn
ldap_dynamic_member_url_attribute = memberURL
ldap_tls_cacert_file = /opt/tibco/tibcojre64/1.8.0/lib/security/cacerts
ldap_user_attribute = sAMAccountName
Once all the above configurations are added to tibemsd.conf file, the final parameter you need to edit is user_auth. Modify the parameter like below.
################ LDAP Configuration ####################################
user_auth = LDAP,LOCAL
Now you can restart the EMS, and if all configured values are correct, the EMS will start using LDAP for authentication. Please note that an error in the LDAP configuration won't bring down the EMS server; it just logs a message and starts without any issues.
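Because a misconfigured LDAP block only logs a message and the server still starts, it is worth checking the parameters before the restart. The following is an added example, not part of the original post or of TIBCO EMS: it parses the key = value lines of a tibemsd.conf and flags the settings from this post that would leave authentication off or unencrypted (the sample config is constructed, modelled on the values above).

```python
from typing import Dict, List

# Constructed sample tibemsd.conf fragment, modelled on the settings in the post.
SAMPLE_CONF = """\
################ LDAP Configuration ####################################
ldap_url = ldaps://corp.mycompany.com:636
ldap_principal = "cn=Manager"
ldap_credential = password
ldap_user_base_dn = "OU=mycompany,DC=corp,DC=mycompany,DC=com"
ldap_user_attribute = sAMAccountName
ldap_tls_cacert_file = /opt/tibco/tibcojre64/1.8.0/lib/security/cacerts
user_auth = LDAP,LOCAL
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; skip comments and blanks, strip surrounding quotes."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value.strip('"')
    return conf


def check_ldap(conf: Dict[str, str]) -> List[str]:
    """Return findings for the LDAP block; an empty list means nothing was flagged."""
    findings: List[str] = []
    methods = [m.strip().upper() for m in conf.get("user_auth", "").split(",")]
    if "LDAP" not in methods:
        findings.append("user_auth does not include LDAP; EMS will not consult the directory")
    url = conf.get("ldap_url", "")
    if not url:
        findings.append("ldap_url is missing")
    elif url.startswith("ldap://"):
        findings.append("ldap_url is plain ldap://; bind and user passwords cross the network unencrypted")
    elif url.startswith("ldaps://") and not conf.get("ldap_tls_cacert_file"):
        findings.append("ldaps:// without ldap_tls_cacert_file; the AD server certificate cannot be verified")
    for key in ("ldap_user_base_dn", "ldap_user_attribute"):
        if not conf.get(key):
            findings.append(f"{key} is not set")
    return findings


if __name__ == "__main__":
    for finding in check_ldap(parse_conf(SAMPLE_CONF)) or ["LDAP block looks consistent"]:
        print(finding)
```

Run it against the real file with `check_ldap(parse_conf(open("tibemsd.conf").read()))` before restarting the server.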
How to Debug LDAP connection Failures in TIBCO EMS?
To enable debugging for LDAP connections, add +LDAP_DEBUG to the log_trace parameter in the tibemsd.conf file and restart the EMS. It will then start logging the debug details.
How to set up permission for LDAP/AD user and Groups in TIBCO EMS?
When you run the show user/s or show group/s commands, they won't list every LDAP/AD user or group. Only the users and groups that meet one of the criteria below at the time the command is issued will appear, and external users and groups are marked with an asterisk by their names in the output.
- an externally-defined user successfully authenticates
- a user belonging to an externally-defined group successfully authenticates
- an externally-defined user has been added to a locally-defined group
- permissions on a topic or queue have been granted to an externally-defined user or group
You can grant or revoke permissions for an external user in the same way you do for locally defined users. But when it comes to LDAP/AD groups, TIBCO EMS is not capable of managing them, so there is no way to set permissions for LDAP/AD groups in TIBCO EMS. Instead you need to create a group locally and add the external users to this locally defined group. You can then set privileges for this group, which are inherited by its users. You have to manage this group manually, as it won't import the users from LDAP/AD.
Hope this post helps you for configuring LDAP/AD for TIBCO EMS. Let me know your feedback and suggestions in the comment section below.